Thinking Security
Steven M. Bellovin
https://www.cs.columbia.edu/~smb
Steven M. Bellovin October 29, 2015 1
Change
‘Once in ancient days, the then King of England told Sir Christopher Wren, whose name is yet remembered, that the new Cathedral of St. Paul which he had designed was “awful, pompous and artificial.” Kings have seldom been noted for perspicacity.
. . .
‘In the case of the King and Sir Christopher, however, a compliment was intended. A later era would have used the words “awe-inspiring, stately, and ingeniously conceived.”’
(Poul Anderson, A Tragedy of Errors)
More than Language Changes
• Businesses change
• Threats change
• Technology changes
+ How can we build secure systems, in a rapidly changing environment?
Businesses and Threats
• What do you want to protect?
• Against whom?
+ These are the first two questions to ask in any security scenario
Assets
• Different assets require different levels of protection
• Contrast the value of celebrity photos with this very ordinary picture I took
• Security measures have to be commensurate with the value of the assets
Assets and Hackers
• Different kinds of assets attract different kinds of hackers
• The NSA probably isn’t interested in nude celebrity selfies
• (But they may want such pictures if taken by one of their targets.)
• They’re very interested in military and political information
• Most hackers, though, want money
+ They’ll go after anything they can monetize
Hackers
• Different kinds of hackers have different skills and different goals
• They also have different degrees of focus—do they really care what they get?
The Threat Matrix
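Skill −→ (vertical axis, increasing upward)
High skill: Opportunistic hacks | Advanced Persistent Threats
Low skill: Joy hacks | Targeted attacks
Degree of Focus −→ (horizontal axis, increasing to the right)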
Joy Hackers
• Little skill (mostly runs canned exploit scripts), not very good target selection
• Describes most novices
• Doesn’t really care about targets—anyone they can succeed against is whom they were aiming for
• They can do damage, but ordinary care is generally sufficient
Opportunistic Hackers
• Skilled, often very skilled, but they also don’t care much about targets
• Most viruses are written by this class of attacker
• Generally speaking, their goal is money: credit cards, bank account credentials, spambots, etc.
• Quite dangerous—but if you’re good enough, they’ll switch targets
Targetiers
• (An ancient word whose meaning I’m changing. . . )
• Attackers who target you specifically, but aren’t that skilled
• Will do in-depth research on their targets, and tailor their attacks accordingly
• May even exploit physical proximity
• Sometimes a disgruntled insider or ex-insider
• Again, quite dangerous
Advanced Persistent Threats
• Very skilled attackers who focus on particular targets
• The best attackers in this class are national intelligence agencies—you know the countries on the list as well as I do. . .
• May discover and employ “0-days”—holes for which no patches exist, because the vendor doesn’t know of the problem
• May employ advanced cryptographic techniques
• Will employ non-computer means of attack as a complement
– “The Three Bs: burglary, bribery, and blackmail”
• No high-assurance defenses
APT
Apt: An Arctic monster. A huge, white-furred creature with six limbs, four of which, short and heavy, carry it over the snow and ice; the other two, which grow forward from its shoulders on either side of its long, powerful neck, terminate in white, hairless hands with which it seizes and holds its prey. Its head and mouth are similar in appearance to those of a hippopotamus, except that from the sides of the lower jawbone two mighty horns curve slightly downward toward the front. Its two huge eyes extend in two vast oval patches from the centre of the top of the cranium down either side of the head to below the roots of the horns, so that these weapons really grow out from the lower part of the eyes, which are composed of several thousand ocelli each. Each ocellus is furnished with its own lid, and the apt can, at will, close as many of the facets of his huge eyes as he chooses.
(Edgar Rice Burroughs, Thuvia, Maid of Mars)
Who are the APTs?
• The US blames China and Russia (and says that while China gets all the attention, Russia is a bigger threat)
• China blames the US. (So do most other countries. . . )
• Iran blames Israel
• Israel blames Iran and Iranian-backed Palestinians
• Supposedly, North Korea hacked Sony
• Etc.
• I’ll blame beings from the Andromeda galaxy—this way, I don’t have to take sides
Assessing Risk
• What assets do you have?
• What classes of attackers would be interested in them?
• How powerful are those attackers?
• How much security can you afford?
Business and (In)Security
• The purpose of a business (or other organization, but for simplicity I’ll speak of businesses) is not to stay secure
• Rather, it’s to achieve certain goals
• From that perspective, insecurity is simply a cost, not a state of sin
• So are security measures. . .
• What is the right tradeoff?
Insecurity
• I’ll repeat that: insecurity is not a state of sin
• It is perfectly reasonable to omit certain security measures if their cost is too high relative to the threats you face
• However—be very, very certain that you understand the assets at risk and who might go after them
Target Selection
• The attackers have gotten quite sophisticated at target selection
• They’ve gone after little-known sectors like credit card payment processors
• Governments often want to build up their own industries, which means that industrial secrets of any sort are at risk from APTs
• Passwords from otherwise-uninteresting sites may be valuable because people tend to reuse passwords elsewhere, including on financial sites
• Don’t forget your company’s legacy systems
Case Study: Manning and the Wikileaks Cables
• Much of the US government has come to believe that too much compartmentalization was bad, and loosened access controls on some information
• Their defenses against external attackers were pretty good
• They thought there were no insider risks
• Result: Manning downloaded ~250,000 “cables” and leaked them
• (To the NSA, Snowden was also an inside attack)
• Manning was a targetier
Case Study: Mobile Phone Cloning
• Early US mobile phones were easily cloned: an eavesdropper could pick up ESN/MIN pairs over the air, and burn one into another phone
• The designers had realized this, but overestimated the cost of the attack, the skill level required, and the distribution of such skills
+ Electronics repair technicians simply bought off-the-shelf test gear
• They assumed limited use of mobile phones (not many targets) and a motive of cost-avoidance
• In fact, phones became widespread, and the motive was criminals wishing to avoid wiretaps
+ The attack was easier and the attackers had stronger motives than had been anticipated
• An opportunistic attack
Case Study: The Crazy Neighbor Attack
• A family angered a neighbor by (justifiably) calling the police about his behavior
• He spent weeks cracking their WiFi password, hacking their computers, and attempting to frame them for various crimes, including child pornography, sexual harassment, and threatening the Vice President
• The family’s defenses assumed opportunistic attackers, but they were targeted
Assumptions
• Why should technology changes affect our security reasoning?
• Speed? Applications? Bandwidth?
• Many of our security architectures are built around implicit assumptions—and since we don’t know what they are, we don’t react when they’re violated
• We have to identify those assumptions
Example: Passwords
• Assumption: attacker’s computational power is a very small number of computers
+ Today, they have botnets with GPUs
+ Result: guessing attacks are far more effective
• Assumption: users are primarily employees, who could be trained
+ Today, it’s mostly users who will shop or bank elsewhere if they don’t like a site’s rules
+ That’s why popular passwords include "123456", "12345", "password", "iloveyou", etc.
We Won’t Identify All Implicit Assumptions
• We can’t—by definition, they’re implicit
• We can try asking, in different places, “why do you think this is secure?”
• In addition, deployed architectures should be reviewed every few years, to ensure that they are still sound and to examine unreviewed changes to the architecture
Thinking About Insecurity
• In order to know how to defend systems, you have to know how to attack them
• What sorts of attacks are launched?
• Why do they sometimes succeed when you did get the threat model correct?
Thinking Sideways
• Attacks frequently succeed when the attacker thinks of an input pattern that the programmer didn’t anticipate
• If the choices for an exam question are (a), (b), or (c), enter (d)
• If that doesn’t work, can you sabotage the test?
• “You don’t go through strong security, you go around it”
Attackers Don’t Follow the Rules
• Requirements document: “Program must accept input lines of 1024 characters”
• Programmer: “char buf[1025]; // leave room for NUL byte”
• Tester: “It accepted the 1024-byte test line; requirement fulfilled”
• Hacker: “What happens if I send 2000 bytes?”
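The slide's scenario as an added example (not from the original slides): a line reader that meets the 1024-character requirement and also has a defined answer for the 2000-byte line. The names `read_line` and `struct input`, and the policy of rejecting an over-long line and discarding its tail, are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LINE 1024   /* limit from the requirements document */

enum line_status { LINE_OK, LINE_TOO_LONG, LINE_EOF };

/* Hypothetical input cursor over bytes already received (file, socket, ...). */
struct input { const unsigned char *p, *end; };

static int next_byte(struct input *in)
{
    return in->p < in->end ? *in->p++ : EOF;
}

/* Copy one line into buf, which holds MAX_LINE characters plus the NUL.
 * A longer line is rejected as a whole and its tail is discarded, so the
 * surplus bytes neither overrun buf nor get parsed as the next line. */
static enum line_status read_line(struct input *in, char buf[MAX_LINE + 1])
{
    size_t n = 0;
    int c;

    while ((c = next_byte(in)) != EOF && c != '\n') {
        if (n == MAX_LINE) {            /* this would be character 1025 */
            while ((c = next_byte(in)) != EOF && c != '\n')
                ;                       /* drain the rest of the line */
            buf[0] = '\0';
            return LINE_TOO_LONG;
        }
        buf[n++] = (char)c;
    }
    if (c == EOF && n == 0)
        return LINE_EOF;
    buf[n] = '\0';
    return LINE_OK;
}

/* Constructed sample: the tester's 1024-byte line, the 2000-byte line from
 * the slide, then a short line that must still be read correctly. */
static size_t make_input(unsigned char *dst)
{
    size_t n = 0;
    memset(dst + n, 'A', 1024); n += 1024; dst[n++] = '\n';
    memset(dst + n, 'B', 2000); n += 2000; dst[n++] = '\n';
    memcpy(dst + n, "next\n", 5); n += 5;
    return n;
}

int main(void)
{
    static unsigned char raw[4096];
    static const char *name[] = { "ok", "too long", "eof" };
    struct input in = { raw, raw + make_input(raw) };
    char buf[MAX_LINE + 1];
    enum line_status st;

    while ((st = read_line(&in, buf)) != LINE_EOF)
        printf("%-8s %zu bytes kept\n", name[st], strlen(buf));
    return 0;
}
```

The tester's case and the hacker's case both belong in the test suite: the first checks the requirement, the second checks what happens outside it.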
Little Bobby Tables
(http://xkcd.com/327/)
And in Real Life
(http://alicebobandmallory.com/articles/2010/09/23/did-little-bobby-tables-migrate-to-sweden)
Security is a Systems Problem
• You don’t get security by adding on crypto
• You don’t get security by requiring strong passwords
• You don’t get security by adding firewalls
• All of these help—but components interact, and it’s often the interactions that cause the problems
• Example: if you encrypt a file, you move the insecurity from the file’s storage to the key’s storage—and you risk losing the file if you lose the key
Breaking Web Cryptography
• Suppose you want to read encrypted web traffic
• You can: (a) break RSA; (b) break RC4 (allegedly, the NSA can) or AES; (c) hack a certificate authority and issue yourself a fake cert for that site; (d) find a flaw in the SSL implementation and use it to recover the private key (Heartbleed and many more); (e) hack the web server or the client systems to send you the plaintext; (f) bribe a server site employee to plant a back door for you; (g) etc.
+ Which is easiest? It depends!
Evaluating System Designs
• How do we avoid these traps?
• Draw the system diagram
• For each node and each link:
– Assume that it has been compromised
– Assess the odds of this happening
– What are the consequences?
For each serious situation, where the odds are high and the consequences serious, find a defense
Conclusions
• Analyze the risks: what are you protecting, and against whom?
• How powerful are your adversaries?
• Who can take out which elements of your systems?
• How can you stop them?